[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-devel] [PATCH] tcg: fix segfault when MO_UNALN is set
|
From: |
Richard Henderson |
|
Subject: |
Re: [Qemu-devel] [PATCH] tcg: fix segfault when MO_UNALN is set |
|
Date: |
Tue, 26 May 2015 09:10:26 -0700 |
|
User-agent: |
Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0 |
On 05/26/2015 08:57 AM, Yongbok Kim wrote:
> On 26/05/2015 16:49, Richard Henderson wrote:
>> On 05/26/2015 05:46 AM, Yongbok Kim wrote:
>>> MO_UNALN caused segfaults when it is set, it reached out of boundary of
>>> load/ store function pointer arrays in tcg_out_qemu_{ld,st}_slow_path()
>>> or its equivalents.
>>
>> I'd like to know more about this crash please. Where does it happen?
>>
>>
>> r~
>>
>
> tcg/i386/tcg-target.c
>
>> static void * const qemu_st_helpers[16] = {
>> [MO_UB] = helper_ret_stb_mmu,
>> [MO_LEUW] = helper_le_stw_mmu,
>> [MO_LEUL] = helper_le_stl_mmu,
>> [MO_LEQ] = helper_le_stq_mmu,
>> [MO_BEUW] = helper_be_stw_mmu,
>> [MO_BEUL] = helper_be_stl_mmu,
>> [MO_BEQ] = helper_be_stq_mmu,
>> };
>
> ...
>
>> static void tcg_out_qemu_st_slow_path(TCGContext *s, TCGLabelQemuLdst *l)
>> {
>
>> TCGMemOp opc = get_memop(oi);
>
>> /* "Tail call" to the helper, with the return address back inline. */
>> tcg_out_push(s, retaddr);
>> tcg_out_jmp(s, qemu_st_helpers[opc]);
>
> Here is the crashing point...
Ah, I think I'd masked things in there. But clearly not.
Your patch has the nice property of not having to modify all the backends, but
it has the unfortunate property that make* and get* become asymmetrical.
I'll try to come up with an alternative soon, and we'll see how messy it gets.
r~